Tardigrade speed, bugs and bug bounty program

One month has passed since the pre-announcement of the bug bounty program, but no documentation, criteria or reward data have appeared.

In the hope of a speedy launch and good rewards (1,000-10,000 USD), I did some research looking for bugs and vulnerabilities. In the list of actual bugs there are problems with money (again; the first big bug: Unlimited egress for beta test or limited=unlimited?), problems with fast degradation of the speed of the entire network, and some other interesting things.

Since there have been no updates in a month, in my opinion the search for bugs is not an important area. For this reason, I am going to publish the bugs and steps to reproduce on June 19, 2020.

For example, normal upload speed:


Speed after degradation:


4 Likes

Hi there, our team is small (a few part-timers and 1 intern) and has many duties. Like every startup, we must do a lot of activities within the limited 24 hours of each day. I need to say here that although there may be impatience with the time-to-launch of certain features, we as the team are the most impatient of all while we work to launch multiple community initiatives, because we have so much planned for this community that we love. (The dynamic is very similar to software development roadmapping in that regard. We can do everything, but we can't do everything simultaneously.)

We are always striving to show consideration to our members and listen to what people have to say.
Clear communication from both sides helps with that. The initial thread you posted did not mention a bounty was expected, and comments from multiple members were interleaved. I did not see a request for a reward in the original discussion.

We subsequently spoke about your thoughts over DM. When I understood your disappointment, which had not been clearly articulated until that point, we immediately apologized for your feelings and provided you with a timeline to get a response, so that you could find closure.

I don’t discuss the specific details of individuals’ financial situations in public. Your situation was discussed with several engineers and escalated all the way up to 2 of the VPs here, and a number was suggested by the team.

I reached out to you personally, to ask how we can be better in actionable ways and offered to pay you a fee for that feedback. We always want to improve our communications and our processes.

Although the official terms of the bounty program are still forthcoming, please note that responsible disclosure is a value the engineering team cares about as well. Bugs that are not disclosed responsibly will not be eligible for a payout.

Hi @jocelyn

I was the initiator of this topic

Unfortunately, this topic was automatically closed:

And I can’t write to the original topic.

I would like to ask you how I can report critical bugs (especially security issues). Do we have any forms or rules on how to report them?
I know well how to report usual bugs on GitHub, but critical and security issues contain very sensitive information, and I don’t like to report sensitive information in public.

2 Likes

JT and I agreed on a format for that today, and some instructions – give me a few more minutes and I can post after I've finished creating the webform <3 thank you!

3 Likes

It seems that we have a misunderstanding. I have problems expressing my thoughts, especially in English. This topic does not apply to our personal discussion, it is generally about a bug search program and I just wanted to ask about the status of the program. I had no complaints about payments, I just wanted to report that I had discovered more problems related to the financial part on satellites and would like to issue these errors according to the regulations.

3 Likes

Hi GrolaG, no worries! I think your English skills are great.

Maybe now is a good time for me to tag @jtolio so the two of you could discuss some of the findings you had, over a DM or email exchange? I am sure he’d be interested in talking with you.

thanks again for being part of the community :slight_smile:
– J

3 Likes

Eurgh, I wasn't thinking straight and made the form in Google Forms. I just realized some folks would become annoyed by that, since Google forces you to sign in via Gmail… I'm remaking the form with Typeform to avoid that.

2 Likes

For example, I would like to see something like this list (in terms of being simple and clear):


And then: “Well, I have vulnerabilities such as a partial denial of service and information about an error in working with finances. For the first, they will not give me anything, so I will describe it briefly, and the second will give me 133.7 something, so I’ll describe it completely.”

1 Like

As far as I remember, an account is optional. I recently created a form.

1 Like

That's similar to what I discussed with Bill, one of our engineers. Thanks for the validation! He also did some preliminary work on a “severity calculator” that may be incorporated in the future.
I’m not sure if this specific menu of prices in the screenshot would translate. It might need to be something more like tiers with a minimum threshold. It's one of the things we’re discussing.

2 Likes

Yes, the prices in the picture are just an example of design (these are Microsoft prices).
In our case, there may be something like “Bug in working with money in billing: low 100-500, medium 500-1000, high 1000-2000, critical 2000+”.

3 Likes

Updated reporting form is here:

https://forms.gle/kCgJCQGBmwENPzJi8

(If there are any issues with submitting, please let me know. Thank you!)

I sent one report. I will issue one more tomorrow :wink:

2 Likes

Awesome, thank you! And thanks too for letting me know the form settings worked.

It would be nice to have some guidelines about what kind of bugs should be posted through the form and which could be posted on the forum.

In the past I’ve pretty much just posted all my feedback on the forum, as I think the public discussion could add value to anything I’ve found. But the other side of that is that it’s instantly published to the public, which is fine for many things, but probably not for others. I’d like to follow your guidelines on that, and it would help to also know for which kinds of things compensation could be available. Is it just security-related bugs or exploits? Or other things as well, like data that’s being displayed wrong, node payouts that are delayed, errors in logs? To me this topic has kind of raised more questions than it answered so far.

I understand that you’ve only just picked this topic up, so consider this as feedback for future expansion on this topic.

4 Likes

We love that feedback, thank you.

I can pick up this conversation with John and JT. I think it's mainly security exploits or issues. We’re working to write the guidelines in order to clarify this. My personal preference is for transparency as the default, and discretion when there is a chance of harm. But “chance of harm” can be a surprisingly slippery slope. So I hope I'm not being naive when I say that, hahaha. That's what the guidelines should help with.

Thank you for asking the question.

Yeah that 3 days rule should be removed or else extended to 6 months… that’s the first bug (of this forum).

1 Like

I think that one may be on me. I was trying to make some changes so that people who vote on a topic can “get back” their votes. Sometimes when you go to fix one issue, you create another. It's about midnight in my timezone, so I need to log off… but I’ll revisit this when I'm awake and have a break in the day. I’ll bookmark the thread so I remember. Thx!

2 Likes

Good night Jocelyn :sleeping:

Lol, thanks @jcn50

So, I have turned off the auto-close on topics. I think that should help.
I will also bump up the number of votes people have in the Voting categories, to address the other issue.

2 Likes